Supply Chain Sarbanes Oxley Supply Chain SarBox Supply Chain SOX Supply Chain Corporate Governance Supply Chain Integrity

Policies, procedures, authorizations, security checks - all these are included in good control activities. And certainly these control activities should be documented!

Note that control activities include the steps to accomplish something and the restrictions (security checks) that exist around and at each step. The restrictions are likely to be at the step level because a person or a user role will be assigned to complete each step. And at each step a different person or user role will likely be required. An example of this is the creation of payment checks to suppliers. The person who authorizes the payments (checks) to run will likely not be the same person to actually run (print) the checks, and the person in charge of signing the checks is expected to be a different person too.

Control activities also include what is / is not acceptable behavior. The employee manual, for example, is a very important document that describes, in part, what is and is not acceptable behavior for an employee. The employee manual also should describe the repercussions for such behavior. Also, if the employee needs to know the procedure to report unacceptable behavior that affects them.

Control activity documentation may also include product lifecycle management procedures, manufacturing operations steps, and how to requisition travel advances.

While many of the aforementioned control activity documents are used in the internal supply chain, there is one very important control activity document used in the external supply chain: the vendor compliance manual.

The vendor compliance manual is like the employee manual for an organization's suppliers; it describes what is and is not acceptable supplier behavior (i.e. the gift-giving policy). The vendor compliance manual also dictates supplier performance expectations via performance metrics against which the vendor scorecard will be calculated.

The failure to document acceptable (or unacceptable) behavior, business processes, steps, activities, etc., can leave an organization exposed to unnecessary risk, especially when it comes time to hold the perpetrators of bad behavior accountable for their actions or lack of action when it was needed.